US8726016B2 (expired utility patent)

Intelligent integrated network security device

Assignee: ZUK NIR
Priority: Feb 8, 2002
Filed: Sep 14, 2012
Granted: May 13, 2014
Est. expiry: Feb 8, 2022 (expired) · nominal 20-yr term from priority
Inventors: ZUK NIR
CPC classifications: H04L 63/0218, H04L 63/0254, H04L 63/0263, H04L 63/0227, H04L 63/1416, H04L 63/02, H04L 63/12, H04L 69/22, H04L 63/1441, H04L 63/0209

PatentIndex Score: 52 · Cited by: 0 · References: 172 · Claims: 18

Abstract

Methods, computer program products and apparatus for processing data packets are described. Methods include receiving the data packet, examining the data packet, determining a single flow record associated with the packet and extracting flow instructions for two or more devices from the single flow record.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method comprising:
 receiving, by one or more processors of a device, a packet in a flow of packets associated with a session; 
 determining, by the one or more processors and using data of the packet, that a data structure does not store information identifying the flow of packets; 
 communicating, by the one or more processors and to a plurality of security devices, particular information that includes:
 information identifying a location of the packet in a memory associated with the one or more processors, and 
 information identifying a position of the packet in the flow of packets, the plurality of security devices being included in the device; 
 
 obtaining, by the one or more processors and from each security device of the plurality of security devices, information relating to processing packets associated with the session,
 the information, relating to processing the packets associated with the session, being obtained from each security device of the plurality of security devices based on determining that the data structure does not store the information identifying the flow of packets; 
 
 creating, by the one or more processors and for storing in the data structure, a single entry for storing the information identifying the flow of packets based on determining that the data structure does not store the information identifying the flow of packets,
 the single entry being created using the information, obtained from each security device of the plurality of security devices, relating to processing the packets associated with the session; and 
 
 processing, by the one or more processors, the packet based on the information, obtained from each security device of the plurality of security devices, relating to processing the packets associated with the session. 
 
     
     
       2. The method of  claim 1 , where obtaining, from each security device of the plurality of security devices, the information relating to processing the packets associated with the session includes:
 communicating, with each security device of the plurality of security devices, to determine a security policy for the packets associated with the session. 
 
     
     
       3. The method of  claim 1 , where obtaining, from each security device of the plurality of security devices, the information relating to processing the packets associated with the session includes:
 communicating, with a first security device of the plurality of security devices, to determine whether to block the packet based on the first security device determining whether the packet matches one or more attack signatures for one or more attempted network security intrusions. 
 
     
     
       4. The method of  claim 3 , where obtaining, from each security device of the plurality of security devices, the information relating to processing the packets associated with the session further includes:
 communicating, with a second security device of the plurality of security devices, to obtain a network policy associated with the session,
 the second security device being different than the first security device. 
 
 
     
     
       5. The method of  claim 1 , further comprising:
 storing the single entry, in the data structure, to obtain a stored single entry,
 the stored single entry including:
 the information identifying the flow of packets, 
 session information associated with the session, and 
 device-specific information associated with each security device of the plurality of security devices. 
 
 
 
     
     
       6. The method of  claim 5 , further comprising:
 receiving another packet in the flow of packets associated with the session; 
 identifying the single entry, in the data structure, using data of the other packet; and 
 
       processing the other packet based on the single entry. 
     
     
       7. The method of  claim 1 , where each security device, of the plurality of security devices, includes a different one of an intrusion prevention system, a firewall, or a flow-based router. 
     
     
       8. A non-transitory computer-readable medium storing instructions, the instructions comprising:
 one or more instructions which, when executed by one or more processors of a device, cause the one or more processors to receive a packet in a flow of packets associated with a session; 
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to determine, using a portion of the packet, that a data structure does not store information identifying the flow of packets associated with the session; 
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to communicate, to a plurality of security elements, particular information that includes:
 information identifying a location of the packet in a memory associated with the one or more processors, and 
 information identifying a position of the packet in the flow of packets, the plurality of security elements being included in the device; 
 
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to obtain, from each security element of a plurality of security elements, information relating to processing packets associated with the session,
 the plurality of security elements including a firewall and an intrusion prevention system, 
 the information, relating to processing the packets associated with the session, being obtained from each security element of the plurality of security elements based on determining that the data structure does not store the information identifying the flow of packets; 
 
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to create a single entry for storing the information identifying the flow of packets based on determining that the data structure does not store the information identifying the flow of packets,
 the single entry being created using the information, obtained from each security element of the plurality of security elements, relating to processing the packets associated with the session; 
 
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to store the single entry in the data structure; and 
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to determine whether the packet is associated with an attempted network security intrusion based on the information, obtained from each security element of the plurality of security elements, relating to processing the packets associated with the session. 
 
     
     
       9. The non-transitory computer-readable medium of  claim 8 , where the single entry, stored in the data structure, includes:
 the information identifying the flow of packets, 
 session information associated with the session, and 
 device-specific information associated with each security element of the plurality of security elements. 
 
     
     
       10. The non-transitory computer-readable medium of  claim 8 , where the one or more instructions to determine whether the data structure stores the information identifying the flow of packets associated with the session include:
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to determine, using the portion of the packet, that the data structure does not store the information identifying the flow of packets associated with the session. 
 
     
     
       11. The non-transitory computer-readable medium of  claim 10 , where the one or more instructions to obtain, from a security element of the plurality of security elements, the information relating to processing the packets associated with the session include:
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to communicate, with each security element of the plurality of security elements, to determine a security policy for the packets associated with the session based on determining that the data structure does not store the information identifying the flow of packets associated with the session. 
 
     
     
       12. The non-transitory computer-readable medium of  claim 10 , where the one or more instructions to obtain, from each security element of the plurality of security elements, the information relating to processing the packets associated with the session include:
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to communicate, with the intrusion prevention system, to determine whether to block the packet based on attack signatures for one or more attempted network security intrusions. 
 
     
     
       13. The non-transitory computer-readable medium of  claim 10 , where the plurality of security elements further include a flow-based router, and
 where the one or more instructions to obtain, from each security element of the plurality of security elements, the information relating to processing the packets associated with the session include:
 one or more instructions which, when executed by the one or more processors, cause the one or more processors to communicate, with the flow-based router, to obtain a network policy associated with the session. 
 
 
     
     
       14. A system comprising:
 a memory to store instructions; and 
 one or more processors to execute the instructions to:
 receive a packet in a flow of packets associated with a session; 
 determine, using a portion of the packet, that a data structure does not store information identifying the flow of packets associated with the session; 
 communicate, to a plurality of devices, particular information that includes:
 information identifying a location of the packet in a memory associated with the one or more processors, and 
 information identifying a position of the packet in the flow of packets; 
 
 obtain, from each device of the plurality of devices, information relating to processing packets associated with the session,
 the plurality of devices including a firewall and an intrusion prevention system, 
 the information, relating to processing the packets associated with the session, being obtained from each device of the plurality of devices based on determining that the data structure does not store the information identifying the flow of packets; 
 
 create, for storing in the data structure, a single entry for storing the information identifying the flow of packets,
 the single entry being created using the information, obtained from each device of the plurality of devices, relating to processing the packets associated with the session; and 
 
 determine whether the packet is associated with an attempted network security intrusion based on the information, obtained from each device of the plurality of devices, relating to processing the packets associated with the session. 
 
 
     
     
       15. The system of  claim 14 , where the one or more processors are further to:
 store the single entry in the data structure,
 the stored single entry including:
 the information identifying the flow of packets, 
 session information associated with the session, and 
 device-specific information associated with each device of the plurality of devices; and 
 
 
 process another packet, in the flow of packets, using the stored single entry. 
 
     
     
       16. The system of  claim 14 , where the plurality of devices further includes a flow-based router. 
     
     
       17. The system of  claim 14 , where, when obtaining, from each device of the plurality of devices, the information relating to processing the packets associated with the session, the one or more processors are further to:
 communicate, with a first device of the plurality of devices, to determine whether to block the packet based on the first device determining whether the packet matches one or more attack signatures for one or more attempted network security intrusions. 
 
     
     
       18. The system of  claim 17 , where, when obtaining, from each device of the plurality of devices, the information relating to processing the packets associated with the session, the one or more processors are further to:
 communicate, with a second device of the plurality of devices, to obtain a network policy associated with the session,
 the second device being different than the first device.
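The claims above describe one mechanism: look a packet up in a flow table; on a miss, hand the packet's location and position to every security element in the device (firewall, intrusion prevention system, flow-based router), collect each element's session-level instructions, and store them together in a single flow entry that later packets of the same flow are processed from. The following is an added illustrative model of that mechanism in Python; it is not the patent's own code nor any product's implementation. The element names, the policies (blocked port, the `SIG-TEST` signature, the egress choice) and the sample packets are all constructed for the example.

```python
"""Toy model of a single-flow-record integrated security device (added example, constructed)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

FlowKey = Tuple[str, str, int, int, str]  # (src, dst, sport, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    seq: int            # position of the packet within its flow
    payload: bytes = b""

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)


@dataclass
class FlowEntry:
    """The single entry: flow identity, session id, and per-element instructions."""
    key: FlowKey
    session_id: int
    device_info: Dict[str, dict] = field(default_factory=dict)
    packets_seen: int = 0


# Constructed policies used by the example security elements.
BLOCKED_PORTS = {23}
ATTACK_SIGNATURES = [b"SIG-TEST"]  # constructed placeholder signature, not a real IPS rule


def signature_match(payload: bytes) -> bool:
    return any(sig in payload for sig in ATTACK_SIGNATURES)


def firewall(pkt: Packet) -> dict:
    """Constructed firewall: one permit/deny decision for the whole session."""
    return {"action": "deny" if pkt.dport in BLOCKED_PORTS else "permit"}


def ips(pkt: Packet) -> dict:
    """Constructed IPS: check the first packet and ask for payload inspection on the rest."""
    return {"block": signature_match(pkt.payload), "inspect_payload": True}


def flow_router(pkt: Packet) -> dict:
    """Constructed flow-based router: choose a network policy (egress) for the session."""
    return {"egress": "dmz" if pkt.dst.startswith("10.0.") else "wan"}


class IntegratedSecurityDevice:
    def __init__(self, elements: Dict[str, Callable[[Packet], dict]]):
        self.elements = elements
        self.flows: Dict[FlowKey, FlowEntry] = {}
        self._next_session = 1
        self.consultations = 0  # how often any element was asked; shows the table hit/miss effect

    def _create_entry(self, pkt: Packet) -> FlowEntry:
        """Flow-table miss: consult every element once and store the answers in one entry."""
        entry = FlowEntry(pkt.key(), self._next_session)
        self._next_session += 1
        for name, element in self.elements.items():
            entry.device_info[name] = element(pkt)  # element sees the packet and its position
            self.consultations += 1
        self.flows[pkt.key()] = entry
        return entry

    def process(self, pkt: Packet) -> str:
        entry = self.flows.get(pkt.key())
        if entry is None:
            entry = self._create_entry(pkt)
        entry.packets_seen += 1
        fw, ids_info = entry.device_info["firewall"], entry.device_info["ips"]
        if fw["action"] == "deny":
            return "drop:firewall"
        # Session-level block from the first packet, or per-packet inspection the IPS requested.
        if ids_info["block"] or (ids_info["inspect_payload"] and signature_match(pkt.payload)):
            return "drop:ips"
        return "forward:" + entry.device_info["router"]["egress"]


def run_demo() -> Tuple[List[str], int, int]:
    """Feed constructed packets from three flows; return verdicts, consultations, flow count."""
    dev = IntegratedSecurityDevice({"firewall": firewall, "ips": ips, "router": flow_router})
    packets = [
        Packet("192.0.2.10", "10.0.0.5", 40000, 80, "tcp", 1, b"GET / HTTP/1.1"),
        Packet("192.0.2.10", "10.0.0.5", 40000, 80, "tcp", 2, b"Host: example"),
        Packet("192.0.2.11", "198.51.100.7", 40001, 23, "tcp", 1),          # telnet: firewall denies
        Packet("192.0.2.12", "198.51.100.8", 40002, 80, "tcp", 1, b"GET / HTTP/1.1"),
        Packet("192.0.2.12", "198.51.100.8", 40002, 80, "tcp", 2, b"SIG-TEST"),  # later packet hits signature
        Packet("192.0.2.10", "10.0.0.5", 40000, 80, "tcp", 3, b"more data"),
    ]
    verdicts = [dev.process(p) for p in packets]
    return verdicts, dev.consultations, len(dev.flows)


if __name__ == "__main__":
    print(run_demo())
```

Three flows produce exactly nine element consultations (three elements, each asked once per flow); every later packet in a flow is handled from the stored entry, which is the point of keeping one record per flow rather than having each element maintain its own table.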

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.